ArchiveOODA Original

Flaws in the U.S. Vulnerabilities Equities Process

Last week, the security community was in a flurry around the disclosure of a severe vulnerability (known as CVE-2020-0601) in Microsoft’s Windows operating system. Notably, it was because the National Security Agency (NSA) tipped off Microsoft, helping the tech giant patch the flaw instead of exploiting it for national security missions. NSA was praised for its cultural shift from offense to defense, however, in my opinion, not all that glitters is gold.

This event has brought much needed attention to the Vulnerabilities Equities Process (VEP)—the manner by which the U.S. government determines whether to withhold or disclose zero-day vulnerabilities. The inherent struggle between competing offensive and defensive interests makes the VEP incredibly difficult to implement.

Want more insight? Log in for the full report

This content is restricted to OODA Network members only. Members get access to all site content plus access to exclusive reports and events. Please consider becoming a member. For more information please click here. Thanks!

Already a member?  Sign in to your account.

Cindy Martinez

Cindy Martinez

Cindy Martinez has spent her career focusing on cutting edge and complex issues at the forefront of national security. She served 5 years at the Department of Homeland Security where she advised senior leadership on cybersecurity and emerging technology trends. She also negotiated policies and recommended solutions in order to create new Federal initiatives and evaluate the U.S. Government’s effectiveness in areas such as artificial intelligence, offensive cyber operations, vulnerability disclosure, and the national security space domain. She is an analyst with OODA LLC , which publishes CTOvision.com and OODAloop.com.